Enterprise Risk Management (ERM) has gained a foothold in today’s business environment. Since the enactment of the Sarbanes-Oxley Act of 2002 (SOX), public companies have taken steps to strengthen their internal controls over financial reporting and enhance their ability to comply with rules and regulations. Over the past two decades, in response to numerous data breaches and accounting and corporate scandals, as well as increased enforcement of Foreign Corrupt Practices Act of 1977 (FCPA) violations by the U.S. Securities and Exchange Commission and Department of Justice, corporate boards have become more aware of, and management more focused on, governance and risk management. Many organizations have turned to ERM as a solution.
Not only does an ERM program help minimize risks and reduce the impact and severity of negative events, it also allows companies to become more efficient, make better decisions based on data and create a risk culture. In fact, mature and successful ERM programs have been shown to reduce earnings volatility, strengthen capital position and increase profitability. But not all organizations are aware of what it takes to implement and operate a successful ERM program. Below, we identify what all effective ERM programs have in common, three ways to prove the value of ERM and how technology like Resolver’s enterprise risk management software plays a critical role in the success of an ERM program.
ERM programs that have proved successful typically have several things in common, including buy-in across all departments, resources and money allocated toward the cause, continuous improvement of the program, and measurement of the program’s success.
ERM programs are often initiated at the request of the board, at the request of the CEO, or in response to a negative event the organization has suffered. Whatever the trigger, organizations need the support, engagement and buy-in of the C-suite and top managers for ERM to succeed. There should be an appointed champion at the executive level who presents ERM program data and performance to the board of directors or its risk committee.
For ERM to stick, it is all about answering the question “why” and then empowering people, providing them with the tools they need, and giving them the autonomy to own it themselves so it becomes part of the fabric of the business: not something that is imposed, but part of how they get things done. Without that approach, the explicit link between ERM and the strategy, goals and objectives of the organization tends to go missing. When something starts up, it is brand new, fresh, the latest thing on the agenda, so a lot of people jump on it. After a year or two, the interest begins to fade. So getting company-wide buy-in from the start, and keeping all stakeholders engaged and accountable, is one of the most important aspects of a successful, long-term ERM program.
Most risk assessment activity takes place when the executive management team has time for it, and that is typically not in the midst of planning and budgeting. In most organizations the risk assessment happens about three months after planning and budgeting are done, which is when teams have time, but that is not when you want it to happen: the budget has already been set without the risk picture. Push for risk assessments to occur while upcoming plans and the budget are being developed. An ERM program cannot survive without allocated resources.
Those who assume the most ownership of an organization’s ERM program have the task of continuous innovation. They should always be thinking, “How can I do things differently?” An ERM program needs to remain fresh. Failing to update and innovate leads to an ineffective ERM program.
What doesn’t get measured, doesn’t get managed. Many organizations with strong, mature ERM programs in place say measurement is key. They try to quantify efforts and have leading indicators around risk and performance to show the variables and the delta between the work they are doing versus if they did nothing at all. Below, we look at ways to measure the value of an ERM program.
Many organizations ask, “How can I quantify or demonstrate the value of a program that is supposed to eliminate or mitigate the bad things from happening in the first place? How do I prove the ROI of something that doesn’t happen?” The following are a few of the most common ways to successfully prove the value of your ERM program.
For example, a global study conducted by EY concluded that companies in the top 20% of risk maturity generated three times the level of the EBITDA (earnings before interest, taxes, depreciation and amortization) as those in the bottom 20%.
Some of the most important metrics used in valuing an ERM program include total cost of risk, annual loss expectancy, risk coverage ratio and reputation quotient. Measuring these—and many other types of risk metrics—becomes a daunting task when relying upon outdated methods of measurement, like spreadsheets.
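As an added illustration (not from the original page and not Resolver’s software), the following Python sketch shows how two of the metrics named above, annual loss expectancy and a control’s return on investment, can be computed for a small risk register, so that the “delta” between acting and doing nothing becomes a number a board can read. The register entries, loss amounts and frequencies are constructed; the formulas (ALE = SLE × ARO; ROSI = (ALE reduction − control cost) / control cost) are the standard ones from security economics and are assumed here rather than taken from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # single loss expectancy: cost of one occurrence
    aro: float   # annualized rate of occurrence: expected events per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float        # fraction by which the control cuts ARO (0..1)
    sle_reduction: float = 0.0  # fraction by which the control cuts SLE (0..1)


def ale(risk: Risk) -> float:
    """Annual loss expectancy = SLE x ARO (assumed standard formula)."""
    return risk.sle * risk.aro


def residual_risk(risk: Risk, control: Control) -> Risk:
    """Risk after a control is applied: scale SLE and ARO by the stated reductions."""
    for frac in (control.aro_reduction, control.sle_reduction):
        if not 0.0 <= frac <= 1.0:
            raise ValueError("reductions must be fractions between 0 and 1")
    return Risk(
        name=risk.name,
        sle=risk.sle * (1.0 - control.sle_reduction),
        aro=risk.aro * (1.0 - control.aro_reduction),
    )


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: (ALE saved - control cost) / control cost."""
    saved = ale(risk) - ale(residual_risk(risk, control))
    return (saved - control.annual_cost) / control.annual_cost


def total_cost_of_risk(risks: list, controls: list) -> dict:
    """Compare the 'do nothing' ALE with residual ALE plus control spend.

    'delta' is the annual amount the program is expected to save versus inaction.
    """
    before = sum(ale(r) for r in risks)
    after_losses = sum(ale(residual_risk(r, c)) for r, c in zip(risks, controls))
    spend = sum(c.annual_cost for c in controls)
    return {
        "ale_before": before,
        "ale_after": after_losses,
        "control_spend": spend,
        "tcor_after": after_losses + spend,
        "delta": before - (after_losses + spend),
    }


# Constructed sample register (figures are illustrative, not from any real assessment).
RISKS = [
    Risk("ransomware on file servers", sle=2_000_000, aro=0.10),
    Risk("payments vendor outage", sle=150_000, aro=2.0),
]
CONTROLS = [
    Control("offline backups + EDR", annual_cost=120_000, aro_reduction=0.5, sle_reduction=0.6),
    Control("second payments vendor", annual_cost=60_000, aro_reduction=0.0, sle_reduction=0.8),
]

if __name__ == "__main__":
    for r, c in zip(RISKS, CONTROLS):
        print(f"{r.name}: ALE {ale(r):,.0f} -> {ale(residual_risk(r, c)):,.0f}, ROSI {rosi(r, c):.2f}")
    print(total_cost_of_risk(RISKS, CONTROLS))
```

Running the sample register prints a per-risk before/after ALE and a summary whose `delta` is the expected annual saving against doing nothing; a negative ROSI flags a control that costs more than the loss it avoids, which is exactly the conversation the metrics on this page are meant to start.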
Attempting to manage company-wide risks with a series of jumbled, complicated spreadsheets is a recipe for disaster. Organizations should have a single technology platform in place to streamline the process of identifying, ranking and addressing risks, among other things. This software can show past mitigated risks, trending data, and the financial benefits of such actions.
Using dedicated software to manage ERM is a necessity in today’s business environment. Effective ERM software should provide management and end-users with the information that they need to understand risk, make data-driven decisions and reduce negative impact. The software must enable risk owners to effortlessly submit risk assessments and share data across the entire enterprise, and align to globally accepted risk management principles and frameworks including ISO 31000, Basel and COSO ERM.
What does the board of directors want to see when it comes to ERM? Most prefer a short, concise list of the top risks, confidence that the ERM program is designed and operating well, and how the program is helping the company achieve its objectives. Your ERM technology should allow users to produce meaningful board-ready reports, gain access to real-time dashboards, promote a risk culture through collaboration, and enable powerful automation. It should also:
With evidence that a company’s financial performance is tightly correlated to the level of integration and coordination across risk, control and compliance functions, many organizations are now actively working to embed a risk culture throughout their business. While the ultimate aim is to fuel better performance and achieve a competitive advantage, many are realizing the wide range of benefits created from an enterprise risk management program, and software is helping them do just that.
The RIMS 2019 Annual Conference, the largest risk event of the year, took place in Boston from April 28 to May 1. During the event, we presented a debate on the risks versus the rewards of implementing new technology in organizations. This is the second installment in this debate series; previously, we debated the risks and rewards of technological innovations.
On Team Reward was Sou Ford, Senior VP at Willis Towers Watson. Sou got her start in 1991 with an opportunity to join the training program at Aetna Bond. From there, she went to Marsh as a broker and then to Reliance National as an underwriter for E&O. After a transfer to Atlanta in 2003, she joined Willis Towers Watson in 2010 and its cybersecurity team in 2016.
On Team Risk was Mark Plumer, Partner at Pillsbury Winthrop Shaw Pittman LLP. Mark has been practicing law for over 30 years and has always acted on behalf of policyholders. He represents clients through various kinds of insurance-related matters, from the very beginning stages of selecting an insurance policy, all the way up through contentious claims. He holds several accolades and has negotiated dozens of settlements of complex claims outside of litigation, with some valued in the billions.
Both panelists were asked to take stances on Team Reward and Team Risk for the purpose of this debate. Their responses to the following statements do not reflect their actual opinions or the opinions of the organizations that they work for.
Team Reward: Companies either need to innovate or die. Risk management is there so that you can continue to innovate, thrive, and grow. You can’t let insurance or cyber risks dictate your company’s actions. You need to do what you need to do, and the risk manager will deal with the ramifications and find ways to transfer any risks.
Team Risk: Both the benefits and the concerns should be of equal importance. One isn’t more important than the other. Although many say you have to innovate or die, it’s just as possible to innovate and die. If you don’t manage your risks well, you can wind up in serious trouble. Without considering the risks, you might end up like Theranos. A risk assessment is needed with the roll-out of each new technology.
Team Reward: The risk manager should be involved, but he or she shouldn’t be a hurdle or obstacle. Your risk manager should think of the new technology from a risk management perspective. Their job is to help you understand exactly what the risks are so that you know what you’re getting into. And, while new technology may come with a risk, the greater risk actually comes from the people using that technology. Two-thirds of the issues are people-initiated, whether due to negligence, bad employees, or other human error.
Team Risk: The risk manager isn’t supposed to be an expert in the new technology. He or she is, however, an expert in managing potential risks. Because of this, it’s important for the risk manager to be involved from the very beginning. You need to build teams when innovating new products. Those teams need to include relevant stakeholders, which includes the risk manager. Risk management is all about communication, understanding the risks, and whether or not you can accept them or should try to transfer them.
Team Reward: Cyber insurance won’t help you to mitigate losses. It can, however, be helpful if you’re trying to protect your balance sheet. If you have a lot of cash and don’t experience quarterly dips and spikes, then maybe it’s not worth it. For some, it may only be worth the expense if you’re trying to comply with contracts or bring in business.
Team Risk: There are actually several ways to protect yourself, with insurance being just one of a four-point plan. These methods include:
Insurance policies vary widely, and they can be very complicated. While insurance is important, it’s actually the least important of the four. It’s only worth the expense if you buy the right policy that covers the risks you care about the most.
Team Reward: In order to gain something, you have to give something up. Everything comes at a cost. When you download an app, you’ve already surrendered some privacy, even though you might not realize it. Most people don’t read the fine print. The concept of the right to privacy is a myth.
Team Risk: This is a normative question. It really all depends upon the individual, as people all have different views regarding personal privacy. From a legal standpoint, there is a growing body of statutory guidance. While there are no national privacy laws yet in the United States, almost all states have some privacy laws. Some states – like California – are even beginning to put together quite comprehensive laws. Legislatures are beginning to speak for people and determining what rights will be protected.
Team Reward: Replacing humans with robots can actually be very beneficial. By replacing humans, you can reduce accidents, workers’ compensation claims, improve your company’s productivity, and cut down on costs. Robots can’t replace humans when it comes to jobs that require empathy or compassion, but they can replace humans when it comes to repetitive or physical tasks.
Team Risk: It’s very important to be thoughtful about the risks of replacing humans with robots. For instance, what if you replace humans with a very expensive piece of equipment that suddenly stops working or malfunctions and causes injury to persons or property? While it’s great to be economical, you still need to be cognizant of the risks and hidden costs of using robots to replace humans.
Late last year, we conducted a survey where we asked professionals in the financial sector about what they identify as the top risks that will impact their organizations. While the answers varied widely in scope depending on the industry of the specific respondent, there were a few common responses that we continued to come across. Below are the top 12 risks that financial institutions should be aware of as identified by risk managers.
One of the most commonly cited fears was damage to their company’s reputation. This is not surprising, as reputation is a vital ingredient to business success, whether in regards to customer trust or employee loyalty. Companies that inspire employees and customers alike find great success today, as was the case with the Massachusetts-based supermarket chain Market Basket, which has continued to flourish following mass protests in 2014 involving the ousting of a beloved CEO.
While key ingredients for acquiring a good corporate reputation, such as high quality, outstanding service, and competitive prices, are relatively well understood, there are seemingly countless ways in which a brand might be damaged. It could be the result of unethical conduct, like what happened to the Volkswagen brand following the reveal of its so-called emissions scandal in 2015. Reputational damage could also result from poor security practices, as evidenced by the 2017 Equifax data breach, which exposed the sensitive data of over one hundred million people and caused heavy damage to its reputation.
Speaking of data breaches, the fear of cybercrime also commonly appeared as a separate response in our survey. And that is no wonder, as cyberattacks like distributed denial of service (DDoS) attacks are increasing in frequency every year. Such attacks can wreak havoc on a company’s internet infrastructure, potentially sending domains and web-based services offline for hours at a time and breaking functionality for their users.
Cybercrime can have serious consequences for a company’s bottom line in several ways, whether measured in lost time and productivity, the cost of responding to the attacks, or simply the loss of customer trust following a leak of sensitive data or a failure to deliver services as expected. The Equifax breach mentioned above resulted in considerable brand damage, and even a DDoS attack can easily run to thousands of dollars in direct downtime costs plus indirect costs such as higher insurance premiums or a weaker credit rating.
It seems that no matter where you turn for news, there is discussion about worldwide economic stagnation. Whether focusing specifically on Europe or China, Japan or the United States, the one constant seems to be the belief in some kind of synchronized global economic slowdown.
In modern financial theory, a firm’s exposure to general market risk is known as its “beta.” Although the betas of banks and financial service companies are relatively low compared to other industries, they are still positive, meaning that these firms are still expected to be hurt by a fall in the overall market, just less severely than higher-beta industries.
Few financial organizations outside the biggest banks can hope to achieve any kind of influence over fiscal and monetary policy, making the signs of an impending global economic slowdown concerning for financial professionals who are otherwise mostly powerless in the face of an economic downturn. With that said, there are ways for a company to prepare for widespread economic turbulence. Useful strategies include addressing the possibility of facing a poor economy well in advance, maintaining a long-term orientation despite rocky short-term performance, and making decisions based on growth prospects as well as cost reduction. Planning well in advance and building financial buffers will go a long way towards mitigating the effects of a coordinated economic downturn.
Similar to fears of general economic slowdown, a good number of financial professionals responded that regulatory and legislative changes pose a risk to their companies in 2019. Much talk has already been generated about the exceptionally high costs of compliance for companies in the financial industry, with overall regulations seemingly doubling every few years and costing banks upwards of one hundred billion dollars annually.
For an example of legislation significantly impacting the business operations of financial institutions, look no further than the Dodd-Frank Wall Street Reform and Consumer Protection Act. Passed in 2010 on the heels of the financial crisis and rolled out over several years, the legislation placed restrictions on the way banks could engage in investments and speculative trading, and sharply curtailed proprietary trading. While the ostensible purpose of the legislation was to reduce systemic financial risk and protect consumers, it also strained the profitability of small community banks and drove some out of business altogether, with the US losing 14% of such institutions between 2010 and 2014. Recognition of these consequences led to a partial Dodd-Frank rollback in 2018, in which small lenders were exempted from certain loan disclosure requirements.
Looking outside the US, the European General Data Protection Regulation (GDPR), adopted in 2016 and in force since 2018, is perhaps the most high-profile example of online data privacy regulation. The GDPR places many requirements on how companies must treat consumer data, costing individual companies millions of dollars in compliance worldwide and imposing serious costs on small and medium-sized businesses. Many now believe that the US will soon follow suit in enacting data privacy legislation, especially aimed at large technology companies like Facebook, which would undoubtedly add further to compliance costs.
In an economic system marked by competition, successful companies cannot simply sit on their laurels, lest an ambitious industry upstart appear and offer superior products or lower prices to entice customers away. This is no different in the financial industry, with the advent of financial technology and new means to invest and save appearing along with the proliferation of smartphones and other mobile internet-connected devices.
Indeed, traditional financial institutions have encountered competition in recent years from smartphone stock trading apps like Robinhood, as well as from online lending and impact investing platforms. Meanwhile, tech giants like Amazon and Google always pose an outside threat to disrupt virtually any industry, including financial services. Just look at Apple Pay, which lets iPhone users perform everyday payment functions like paying with a card or sending money to family or friends.
And this is all to say nothing about the potential for cryptocurrencies to one day gain more traction and cause a huge upheaval in the way financial intermediaries operate. While anyone who has followed the cryptocurrency scene over the past few years can attest to the significant volatility in the sector, that has not stopped large financial institutions like Bank of America from expressing worry about their growing popularity and seeking ways to stay ahead of potential developments in blockchain technology.
In the face of such increasing competition in the financial sector, companies must be able to innovate to continue to prosper. In technology, Apple was a dominant force for innovation during the time of Steve Jobs, but a recent decline in sales has been accompanied by rumblings about a lack of innovation coming out of the company.
Of course, Apple is still an industry giant and will not be going away anytime soon, as has been demonstrated by the reveal of the Apple Card, a partnership with Goldman Sachs and Mastercard that offers a credit card integrated directly into the iPhone’s Wallet app, as well as new subscription services in news and television programming. Apple stock has continued to rise despite poor headlines earlier in the year, serving as a reminder that even the most successful companies must innovate to stay ahead of the competition.
Innovation that lets one company stay ahead of the competition could end up changing the way the entire industry operates, leaving those slower to adapt behind. Disruptive technologies can take the form of service ecosystems like Apple Pay, new investing platforms like the Robinhood app, or even would-be money of the future like cryptocurrencies.
In such a constantly changing industry as finance, there is always the threat of new technologies that could draw consumers away from traditional practices. For organizations to be successful and survive long into the future, such changes must either be anticipated or adapted to as well as possible. Apple Card, for instance, promises to attract existing Apple users with its ease of use and lack of annual fees, which has undoubtedly already spurred other major credit card companies to evaluate and improve their own offerings where they see fit.
The problem of attracting and retaining quality talent was another common refrain from the financial professionals we surveyed. High turnover rates require resources to be devoted to hiring and training employees rather than put towards other valuable business development goals. It also can affect employee morale and make it difficult to create a positive company culture, where employees understand and share the organization’s values and mission.
With unemployment low across the US, companies must work hard to attract the best and brightest, offering perks such as professional development programs, an appealing workplace culture, and sometimes simply more money than competitors.
“Time is money,” and nowhere is this more true than in the financial sector. Business interruptions result in lower productivity, lower profit, and, depending on the situation, potential brand damage. Such interruption could come as a result of cyberattacks, as outlined before, or may be simply caused by extreme weather events.
Purchasing business interruption insurance is one option some companies use to mitigate this risk, although standard policies typically pay only for income lost as a result of physical loss or damage to covered property, so an interruption with no physical damage (a ransomware outage, for example) may fall outside the coverage unless a cyber-specific policy is in place. In any case, there is no doubt that business interruptions are best avoided.
Similar to the fear of regulatory or legislative changes, political risk and uncertainty also factored among the twelve most common survey responses. Sudden changes in the political winds can have very real consequences for companies, as has been illustrated clearly with the recent arrest of Huawei’s CFO in Canada.
Furthermore, recent threats of tariffs to be imposed against China and Europe by the United States also affect business prospects for many companies operating within those borders. As with the fear of economic slowdown, the best way to deal with political risk is to make contingency plans well in advance for potential disturbances to particular markets or supply chains. While no single company can control such systematic risks, those that position themselves to be resilient in the face of external shocks have the best chance of handling political uncertainty in stride.
Speaking of lack of control, respondents also mentioned third party liability as a major risk that they fear in 2019. While the exact situations where third party liability arises may vary between different industries, it can occur whenever a firm uses an outside company to provide some kind of service. Third party liability risk is especially important in the financial industry, where financial service firms face liability for the actions of vendors. As a result, it is vitally important for financial firms to thoroughly evaluate third parties before entering into official partnerships.
The banking industry in particular has been ahead of the pack in establishing systems for addressing third party liability risk. Motivated by the aforementioned increase in frequency and severity of cyberattacks, banks have increasingly integrated vendor risk management into their operations. Processes commonly used to address third party liability include preliminary risk assessments, careful drafting of contract provisions, and ongoing oversight and monitoring of third party vendors.
While third party liability can be fully eliminated only by not engaging in partnerships at all, the best way to mitigate third party risk is to select opportunities carefully and exercise prudence in all dealings with outside business partners.
Rounding out the list of the 12 most common survey responses is commodity price risk, defined as “the price uncertainty that adversely impacts the financial results of those who both use and produce commodities.” Notable commodities that create price risk for companies and consumers alike include oil, corn, cotton, aluminum, and steel. Firms facing significant commodity price risk usually hedge it with futures contracts on global exchanges like the Chicago Mercantile Exchange.
The recent steel and aluminum tariffs imposed by the United States illustrate how commodity price risk may manifest and negatively impact companies involved. Following the enactment of the tariffs, publicly traded steel companies have suffered in terms of stock valuations and general company health as they face higher prices, lower output, and lower sales.
While few of these risks can be fully eliminated, having a complete risk management program in place can go a long way towards mitigating catastrophic events.